Gene Testing Questioned By Regulators

Regulators are cracking down on companies that sell genetic tests directly to consumers, threatening to crimp the growth of one of the hottest sectors of the biotechnology industry.

The California Department of Public Health sent “cease and desist” letters to 13 genetic testing companies two weeks ago, telling them they could not solicit business from state residents. The companies include the early leaders in the field — 23andMe, Navigenics and deCode Genetics — which are trying to carve out a new business of offering personal genetic information for use in health and lifestyle planning.

Can We Trust Google With Our Medical Records?

When my mom was battling cancer, she decided to seek additional input from a cancer center miles away. She went to her oncologist to collect her medical records, only to discover they were stored in several different places. My mom was weak and sick from chemotherapy, yet she traipsed from hospital to hospital to collect medical files, pathology reports and scan films. I remember her saying at the time, “Why can’t they all be in one place?”
Experiences like this have convinced me of the benefits of electronic medical records. Imagine how much easier it would have been for my mom to just send an electronic version of her medical files to the cancer center.
But now that big companies like Microsoft and Google are getting into the medical record storage business, a fascinating piece in this week’s New England Journal of Medicine raises important questions about whether medical privacy rules should be extended to these private firms. All you have to do is order a book on Amazon and you can quickly see how every move you make online is tracked by marketers.

Warning on Storage of Health Records

In an article in The New England Journal of Medicine, two leading researchers warn that the entry of big companies like Microsoft and Google into the field of personal health records could drastically alter the practice of clinical research and raise new challenges to the privacy of patient records.

The authors, Dr. Kenneth D. Mandl and Dr. Isaac S. Kohane, are longtime proponents of the benefits of electronic patient records to improve care and help individuals make smarter health decisions.

Worker Charged in Hospital File Thefts

An employee of NewYork-Presbyterian Hospital/Weill Cornell Medical Center was charged on Saturday in federal court in Manhattan with stealing nearly 50,000 patient files and selling some of them, according to a criminal complaint.

The worker, Dwight McPherson of the Bronx, was accused of stealing records as early as March 2006.

As a patient admissions representative at the hospital, Mr. McPherson, 38, had access to a patient information database. The stolen documents included patients’ names, phone numbers and Social Security numbers, but a hospital spokeswoman, Myrna Manners, said they probably did not contain medical information.

California Hospital Faces Sanctions After Workers Wrongly Looked at Patient Records

The private records of more than 60 patients, including the actress Farrah Fawcett and the state’s first lady, Maria Shriver, were improperly viewed by workers.

The center, one of the country’s leading medical institutions, learned last May that the security of the medical records had been breached after The National Enquirer printed an article about a recurrence of Ms. Fawcett’s cancer before she had told family members.

As soon as Ms. Fawcett’s lawyers notified hospital officials that they feared her medical records had been leaked to one or more tabloid newspapers, the center began an investigation, said Roxanne Moster, a spokeswoman.

The investigation revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit. “There was intent to terminate,” Ms. Moster said, “and I believe it was going on when she resigned.”

Ms. Moster said there was no evidence that the employee, whom she would not name, revealed medical information about Ms. Fawcett or anyone else to reporters.

“I know that the internal investigation looked at her e-mail records, her phone records, and they did try to determine whether any information was inappropriately given,” she said. “There wasn’t any solid evidence that she did give out that information.”

Ms. Moster said that in a separate incident in February, several employees were suspended or fired after an internal audit revealed another violation of a patient’s records. She would not identify the patient, but The Los Angeles Times reported that it was the singer Britney Spears, who was admitted to the medical center’s neuropsychiatry unit earlier this year.

The hospital did not notify the California Health and Human Services Agency of the violations, Ms. Moster said, because officials thought the center was obligated under state law to report only medical errors. “We are cooperating fully with the department of public health moving forward,” she said.

The state agency, which oversees the licensing and certification of hospitals, has begun its own investigation, said its secretary, Kim Belshé.

Patient privacy rights are protected under a variety of state and federal laws. The medical center could be fined or have its licenses taken away. Also, the state’s findings could be referred to law enforcement officials.

“It appears that we have a pattern of repeated violations, and that is very troubling, and we take that very seriously,” Ms. Belshé said. “It is not a question of will we take action but determining what action to take.”

Ms. Moster said the hospital was working to ensure that the episodes would not be repeated. “Our concern for our patients is absolute,” she said, “and we regret any breach of patient confidentiality.”

Lawyers and publicists for Ms. Fawcett and Ms. Spears did not return telephone calls Monday seeking comment.

More Snooping Into UCLA Medical Records

California first lady Maria Shriver is among more than 30 celebrities and other high-profile patients who had their confidential records breached at UCLA Medical Center, medical officials said.
The woman responsible, whose name was not released, is the same employee who sneaked into actress Farrah Fawcett’s medical records, officials told the Los Angeles Times on Sunday.
That worker was fired in May 2007 after UCLA learned of the widespread breaches, but patients were not notified, the hospital said.
In all, the woman improperly looked at 61 patients’ medical records in 2006 and 2007, according to state and local medical officials. These included Fawcett, Shriver, and 31 other politicians, celebrities and other well-known people, the paper said. Names of the other patients were not disclosed.
The head of the UCLA Hospital System, Dr. David Feinberg, apologized for the breaches and said the woman behind them had been a “rogue” employee.
Fawcett is battling cancer. Her attorney, Kim Swartz, said last week that after an employee at the hospital accessed Fawcett’s medical records, details about her treatment showed up in the National Enquirer.
But Feinberg told the Times that the hospital reviewed the fired employee’s e-mails and phone calls and found no evidence any confidential medical information was shared inappropriately.
After being informed last week that his wife’s medical records had been accessed, Gov. Arnold Schwarzenegger issued a statement saying that “a breach of any patient’s medical records is outrageous.” Besides being California’s first lady, Shriver is a former NBC newswoman and a member of the Kennedy family.
The secretary of the California Health and Human Services Agency, Kim Belshe, said Sunday that her agency is “very concerned about what appears to be a pattern of repeated violations.”
The state will be taking action against UCLA, she said.
UCLA did not let state officials know about the breaches last year. Kathleen Billingsley of the Center for Healthcare Quality said a state investigator on Friday came across a document with the names of those patients affected.
Feinberg said hospital officials initially concluded that alerting authorities and the patients involved was not required. They are reconsidering whether to notify the patients because of the recent disclosures, he said.
The news of the snooping into Fawcett’s medical records became public on Wednesday, a few weeks after the hospital announced that several employees were fired for peeking at pop star Britney Spears’ files.

The Already Big Thing on the Internet: Spying on Users

In 1993, the dawn of the Internet age, the liberating anonymity of the online world was captured in a well-known New Yorker cartoon. One dog, sitting at a computer, tells another: “On the Internet, nobody knows you’re a dog.” Fifteen years later, that anonymity is gone.
It’s not paranoia: they really are spying on you.
Technology companies have long used “cookies,” little bits of tracking software slipped onto your computer, and other means, to record the Web sites you visit, the ads you click on, even the words you enter in search engines — information that some hold onto forever. They’re not telling you they’re doing it, and they’re not asking permission. Internet service providers are now getting into the act. Because they control your connection, they can keep track of everything you do online, and there have been reports that I.S.P.’s may have started to sell the information they collect.
The driving force behind this prying is commerce. The big growth area in online advertising right now is “behavioral targeting.” Web sites can charge a premium if they are able to tell the maker of an expensive sports car that its ads will appear on Web pages clicked on by upper-income, middle-aged men.
The information, however, gets a lot more specific than age and gender — and more sensitive. Tech companies can keep track of when a particular Internet user looks up Alcoholics Anonymous meetings, visits adult Web sites, buys cancer drugs online or participates in anti-government discussion groups.
Serving up ads based on behavioral targeting can itself be an invasion of privacy, especially when the information used is personal. (“Hmm … I wonder why I always get those drug-rehab ads when I surf the Internet on Jane’s laptop?”)
The bigger issue is the digital dossiers that tech companies can compile. Some companies have promised to keep data confidential, or to obscure it so it cannot be traced back to individuals. But it’s hard to know what a particular company’s policy is, and there are too many to keep track of. And privacy policies can be changed at any time.
There is also no guarantee that the information will stay with the company that collected it. It can be sold to employers or insurance companies, which have financial motives for wanting to know if their workers and policyholders are alcoholics or have AIDS.
It could also end up with the government, which needs only to serve a subpoena to get it (and these days that formality might be ignored).
If George Orwell had lived in the Internet age, he could have painted a grim picture of how Web monitoring could be used to promote authoritarianism. There is no need for neighborhood informants and paper dossiers if the government can see citizens’ every Web site visit, e-mail and text message.
The public has been slow to express outrage — not, as tech companies like to claim, because they don’t care about privacy, but simply because few people know all that is going on. That is changing. “A lot of people are creeped-out by this,” says Ari Schwartz, a vice president of the Center for Democracy and Technology. He says the government is under increasing pressure to act.
The Federal Trade Commission has proposed self-regulatory guidelines for companies that do behavioral targeting. Anything that highlights the problem is good, but self-regulation is not enough. One idea starting to gain traction in Congress is a do-not-track list, similar to the federal do-not-call list, which would allow Internet users to opt out of being spied on. That would be a clear improvement over the status quo, but the operating principle should be “opt in” — companies should not be allowed to track Internet activities unless they get the user’s expressed consent.

Safeguarding Private Medical Data

Almost 2,500 patients taking part in a federal medical trial recently had their private health data compromised when a researcher’s laptop computer was stolen. The National Institutes of Health, which was responsible for safeguarding the data, made things worse by delaying in notifying the patients.

This disturbing incident underscores the need for a strong federal law to protect medical privacy and for greater responsibility by those who handle sensitive medical information.

In late February, a laptop belonging to a researcher at the N.I.H.’s National Heart, Lung and Blood Institute was stolen from the trunk of his car. It contained information about heart disease patients, including their names, dates of birth and diagnoses of their medical conditions. The data was not encrypted as it should have been, which made it possible for an outsider to read. The N.I.H. waited roughly a month before notifying the patients whose data was lost.

The release of this information is serious. Heart patients probably do not want their employers or insurance companies, among others, to know the details of their conditions. The breach is also a setback for medical research. Patients are likely to be reluctant to participate in clinical trials if their privacy is not respected.

We’ve been down this road before. In 2006, a laptop was stolen from the home of a Department of Veterans Affairs employee. It contained Social Security numbers and birth dates for millions of veterans and military personnel. The Veterans Affairs inspector general later strongly criticized the department’s procedures and its nearly three-week delay in notifying the victims.

The National Heart, Lung and Blood Institute’s director, Dr. Elizabeth Nabel, says she deeply regrets the breach, and she blames the delay in notifying the patients on an independent review board that set the schedule. Dr. Nabel says the institute is now double-checking that data is properly encrypted and reviewing whether the researcher involved should be disciplined.

These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data. Congress should pass a bill like the Trust Act, introduced by Representative Edward Markey, a Democrat of Massachusetts, imposing mandatory encryption requirements and deadlines for notifying patients when their privacy is breached. As the N.I.H. has shown, medical privacy is too important to be left up to the medical profession.

Physician, Upgrade Thyself

Go into almost any medical office, hospital or clinic in the United States and your records will still be handled the old-fashioned way — on paper. You can use a computer to pay your taxes, to program your TiVo or to read a message from your great-aunt, but your doctor has to practically level a forest just to examine your medical files. The cost, however, isn’t calculated in trees but in human lives: Electronic medical records would reduce the risk of medical errors and spare hospitals the expense of missing records and unnecessary treatment.

Health care providers have been dreaming about electronic records for so long that the idea has begun to seem like vaporware, a never-to-be-realized fantasy similar to flying cars and jetpacks. But there is already a clear software standard, an open-source system that’s low-cost, easy to use and readily available. It could be the key to the health care system we ought to have already.

The program, WorldVistA, is based on the Veterans Affairs Department’s electronic-records system, called VistA (short for Veterans Health Information Systems and Technology Architecture — and yes, they beat Bill Gates to the name). VistA stands as perhaps the greatest success story for government-developed information technology since the Internet itself.

Using the VistA record system, the veterans department has managed to improve nearly every benchmark of quality in health care. In a decade, the department increased its pneumonia vaccination rate among at-risk patients to 94 percent from only 29 percent. That translates into 6,000 saved lives and $40 million saved each year from fewer pneumonia hospitalizations. On a host of other benchmarks — beta blocker use, cancer screening, cholesterol screening and so on — the department outperforms the nation’s best care.

{WorldVista is simple, easy to use, lowers costs, and improves health of veterans, but it also completely violates veterans’ legal and ethical rights to medical privacy, by exposing the medical records of veterans and their dependents to identity theft and discrimination by private corporations and future employers. These violations of privacy occur because the corporations that use, handle, and store VA patient data can sell their data. The Amended HIPAA Privacy Rule allows any of over 4 million health-related businesses and government agencies to use electronic medical records for any business purpose without patient consent. The author has no idea how much identifiable patient data hemorrhages out of the offices and hospitals where patients are treated and into the commercial data marketplace where it is purchased by drug companies, large employers, and insurers to discriminate against patients who have sought medical care. The elimination of medical privacy will devastate the veterans of Iraq, who have experienced mental illness and addiction as a result of war trauma. Who will hire these vets after they leave the military when their mental health records are available for commercial surveillance? ~ Dr. Deborah Peel, Patient Privacy Ri

Suit Sheds Light on Clintons’ Ties to a Benefactor

When former President Bill Clinton and Senator Hillary Rodham Clinton took a family vacation in January 2002 to Acapulco, Mexico, one of their longtime supporters, Vinod Gupta, provided his company’s private jet to fly them there. The company, infoUSA, one of the nation’s largest brokers of information on consumers, paid $146,866 to ferry the Clintons, Mr. Gupta and others to Acapulco and back, court records show. During the next four years, infoUSA paid Mr. Clinton more than $2 million for consulting services, and spent almost $900,000 to fly him around the world for his presidential foundation work and to fly Mrs. Clinton to campaign events.

Those expenses are cited in a lawsuit filed late last year in a Delaware court by angry shareholders of infoUSA, who assert that Mr. Gupta wasted the company’s money trying “to ingratiate himself” with his high-profile guests.

The disclosure of the trips and the consulting fees is just a small part of a broader complaint about the way Mr. Gupta has managed his company. But for the former president, and for the senator who would become president, it offers significant new details about their relationship with an unusually generous benefactor whose business practices have lately come under scrutiny.

In addition to the shareholder accusations, The New York Times reported last Sunday that an investigation by the authorities in Iowa found that infoUSA sold consumer data several years ago to telemarketing criminals who used it to steal money from elderly Americans. It advertised call lists with titles like “Elderly Opportunity Seekers” or “Suffering Seniors,” a compilation of people with cancer or Alzheimer’s disease. The company called the episodes an aberration and pledged that it would not happen again.

{This story about a shareholder lawsuit against infoUSA reveals not only the huge financial power of firms like infoUSA, which illegally sell health and financial information about vulnerable elderly Americans, but the fact that data mongers like infoUSA are playing politics at the highest levels. infoUSA has provided private plane flights and millions of dollars annually in consulting fees to the Clintons, in addition to making substantial political contributions to both Clinton campaigns. These corporations do not want Congress to outlaw the lucrative business of selling Americans’ most sensitive information: medical records. Our challenge is to make sure the American people know about these blatantly illegal data thefts of health records by commercial data aggregators and data mining corporations. America has a long tradition of guarding citizens’ rights to medical privacy, which are embodied by state laws, common law, Constitutional law, the physician-patient privilege, the Hippocratic Oath, and medical ethics. We must urge Congress to step in and restore the privacy rights we have had since the founding of this nation and stop the illegal data mining of our medical records. ~ Dr. Deborah Peel, Patient Privacy Rights}